Overview

overview

10

Static

static

3

b0dcbb32ee...50.exe

windows7-x64

10

b0dcbb32ee...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2025, 12:40 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0dcbb32ee1106570f6438451c8fb9e9e6ffda54ff73bdd7779a8b156cd53150.exe

  • Size

    1.4MB

  • MD5

    406587050e6220d2db4819720e7d62e1

  • SHA1

    2692ea5a1497d0d0bd429b8546dad520432f44dd

  • SHA256

    b0dcbb32ee1106570f6438451c8fb9e9e6ffda54ff73bdd7779a8b156cd53150

  • SHA512

    87d3af61f6a95a3fe7e280dfad6d3ee2b7fffcb1a1a8b88908d3dbe46b53f0500927e588df0a0f314493216879e797a683e6125e5480f5ec46972039f899ee12

  • SSDEEP

    24576:Ui2Tro2H2HESq2eWJ6MQjySjysIrxSpwADf3qN1PvS:UxTc2H2tFvduySDIFGDf3qN1nS

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 10 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 10 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0dcbb32ee1106570f6438451c8fb9e9e6ffda54ff73bdd7779a8b156cd53150.exe
    "C:\Users\Admin\AppData\Local\Temp\b0dcbb32ee1106570f6438451c8fb9e9e6ffda54ff73bdd7779a8b156cd53150.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3480
    • C:\Users\Admin\AppData\Local\Temp\HD_b0dcbb32ee1106570f6438451c8fb9e9e6ffda54ff73bdd7779a8b156cd53150.exe
      C:\Users\Admin\AppData\Local\Temp\HD_b0dcbb32ee1106570f6438451c8fb9e9e6ffda54ff73bdd7779a8b156cd53150.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1060
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:4700

Network

  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    17.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    7.98.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.98.22.2.in-addr.arpa
    IN PTR
    Response
    7.98.22.2.in-addr.arpa
    IN PTR
    a2-22-98-7deploystaticakamaitechnologiescom
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    60.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    60.153.16.2.in-addr.arpa
    IN PTR
    Response
    60.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-60deploystaticakamaitechnologiescom
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
No results found
  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    17.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    17.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    22.49.80.91.in-addr.arpa
    dns
    70 B
     145 B
     1
    1

    DNS Request

    22.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    7.98.22.2.in-addr.arpa
    dns
    68 B
     129 B
     1
    1

    DNS Request

    7.98.22.2.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    60.153.16.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    60.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
    Filesize

    580KB

    MD5

    63af77466f47c62575f2c7436054e7d1

    SHA1

    df7dc110326e9102833df6660eab0b907460305c

    SHA256

    5b80aaf17fde3cf47fc956990009eea74847b0f5685e62e16c32da99fa6499f2

    SHA512

    0584561d5d1090729430657f58a6347dbfbcfa97eca9af4b28f76154a34ee47bedf18af4b6aa2c7851b67139e2f5bc43a7a25d4a6411d2770277e9b0e76070f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\HD_b0dcbb32ee1106570f6438451c8fb9e9e6ffda54ff73bdd7779a8b156cd53150.exe
    Filesize

    900KB

    MD5

    e6213cec602f332bf8e868b7b8bf2bb1

    SHA1

    593775390b8a474a0bdb8a49b5d26b50b6e3cace

    SHA256

    4478f6fcfd2fc9be012668592bfbf6838a115d983f9d30171669b20cafe529b9

    SHA512

    24f96cd7a5043547997167f46c32381ca86932fe7d3a9cf32edd72e7a0cc0fa165152246da913c56d124d1f821e00f09872aa0e3dff23b655e83d9676e14482f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RVN.exe
    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

    Download Submit

  • memory/1144-25-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1144-20-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1144-23-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1144-22-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1144-21-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4700-30-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4700-32-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4700-35-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4960-16-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4960-11-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4960-13-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4960-12-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.